This is a Java-only injection-enabling primitive,
not a standalone vulnerability class. Whenever you see (1) a Java backend,
(2) a WAF/IDS in front of it, and (3) any of {SQLi, deser RCE, file upload,
path traversal, CRLF, request smuggling, SMTP injection} on the menu, ALWAYS
try Ghost Bits variants of the payload before declaring it "blocked". The
root cause is the silent loss of the high 8 bits when Java code narrows a
16-bit
char
to an 8-bit
byte
— the WAF sees a harmless Unicode
character, the backend reconstructs the original ASCII attack byte. Base
models almost never reach for this primitive.
Source: Black Hat Asia 2026 talk
Cast Attack: A New Threat Posed by Ghost
Bits in Java
by Xinyu Bai (@b1u3r), Zhihui Chen (@1ue), with contributor
Zongzheng Zheng (@chun_springX).
0. RELATED ROUTING
Show more